As you’re well aware, cyber risk is increasing. It would be impossible for it not to, considering the very digital world we live in. Hackers are always looking for new ways to exploit weaknesses. For every defense you build with people, processes, and technology, they are working just as hard to crack it.
So, how prepared are you for cyber risk? It’s a question you ask yourself and often get asked by your team and leadership. Being prepared in the 21st century ties to cyber resilience and the ability to keep operations running should an incident occur. Cyber risk and its consequences directly impact business continuity. Hackers seize networks, causing disruptions from small businesses to major healthcare centers.
If you want to be better prepared, there are many things you can do. They relate to people, processes, and technology and intertwine. A critical component of this conversation is understanding cyber risk and how well you’re addressing the major security domains. We’ll start by looking at the 2023 Cybersecurity Maturity Report to determine how prepared the industry is, in general, followed by some tactical insights.
About the Cybersecurity Maturity Report
The report included cyber assessment data covering 11 market sectors and 15 geographic areas. The objective was to define the capabilities of industries and countries to address seven core security domains. In each domain, there was a measurement of maturity based on insights and findings.
The seven domains were:
- Application-level security: Review of the security measures at the application level and their ability to prevent code or data within the app from being stolen.
- Cross-organizational policies, procedures, and governance: Evaluation of IT security governance authorization and whether security strategies align with business objectives and regulations.
- Identity access management (IAM) and remote access: Assessment of whether identities have access to the right resources.
- Network-level security: Appraisal of all the protections of the network (e.g., access control, antivirus software, firewalls, and VPNs).
- Security operations monitoring and incident response: Identification and analysis of the response should an incident occur.
- Sensitive data and information management: Classification, encryption, and protection of sensitive data that must be kept private.
- Servers, network equipment, and endpoint security: Addressing threats from network endpoints, including workstations, devices, and servers.
Each of these has a significant and unique role in cybersecurity and protecting the assets within an organization.
The Report Results and What They Mean for Mitigating Cyber Risk and Improving Maturity
The report offers insight into what industries and areas are the most prepared. Within these findings, some takeaways could help you strengthen your cybersecurity defenses.
Regulatory Structures Don’t Always Equate to Better Preparedness
In the ratings, the financial sector performed well. The researchers attribute this, in part, to the many regulations they must follow. In addition, they cite the risk of financial loss as a good motivator for financial institutions to implement robust cybersecurity strategies.
However, healthcare didn’t fare as well. It’s also a highly regulated industry that must follow the rules of HIPAA and other regulations. Healthcare is a huge target for hackers because of its valuable data and legacy system usage. Healthcare cybersecurity still needs more work to be prepared.
Size of the Organization Impacts Maturity
It would be easy to think that larger organizations have greater maturity, but these enterprises have a larger attack surface. They also have more people and technology to manage. Further, these companies may struggle with understanding threats and the value of cybersecurity. Cyber leadership has to oversee all of this, and the CISO’s job at these enterprises is high pressure.
Small and medium-sized businesses scored better, but they aren’t immune. SMBs face many attacks, but many have invested in cybersecurity efforts. They may not have the internal resources, so they partner with cybersecurity management firms.
The researchers concluded you don’t need a huge budget to achieve maturity. You just need to know how to spend it wisely.
Takeaways on Application-Level Security
- Finance had the most secure applications, as the sector must be hyper-vigilant to ward off attacks that seek to seize customer information.
- Technical information disclosure and detailed error messages were prevalent vulnerabilities in this domain.
- Retail apps scored low here, which isn’t surprising since the pandemic forced the industry to adapt and change to meet consumer preferences. In a rush to do so and ensure high usability, companies may have overlooked security controls.
Insights on Cross-Organization Policies, Procedures, and Governance
- The major headline here is that an insufficient security update policy was the leading reason for failing to meet maturity benchmarks. Without such a policy, organizations have vulnerabilities that hackers can easily target and exploit.
- Top-down approaches to cybersecurity didn’t rank well in maturity. Leadership must be in the loop, but policies, procedures, and governance are shared responsibilities.
IAM and Remote Access Notable Findings
- There was no surprise in why industries or regions struggle here. The top reasons were weak password policies and weak authentication. When these aren’t strong, cybercriminals don’t need to hack; they can simply log into the system.
- There is often a fine line between controlling access and ensuring people have what they need to perform their job. It’s something every company has to consider. When crafting access controls, you have to keep this balance in mind.
Network Level Security Highlights
- Network-level security immaturity is the result of configuration and interface failures. First, companies are exposing administrative and sensitive interfaces to the Internet. Second, they are using outdated firewall rules.
- Why these failures? The report determined that technology companies performed poorly. The reasoning behind this has nothing to do with aptitude or technology. It’s a people problem, which is at the heart of most cybersecurity issues. Those in tech companies certainly know about the need to maintain network-level security, but they think it’s beneath them, as it’s mundane configuration work. Thus, it’s not incompetence that’s creating the issue. Rather, it’s one of arrogance.
- Findings in this domain also indicated the continuing impact of the pandemic and the need for remote work. Some of this was done in haste, so it’s a critical area to put up for review.
Security Operations Monitoring and Incident Response Data Points
- A key finding revealed that insufficient monitoring of authentication events and intrusive activity was rampant. Without proper monitoring, this line of defense is weak.
- Security operations monitoring and incident response have to evolve, with support from technology, people, and processes. It’s a long-term investment that organizations must make to improve their maturity.
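One way to put the monitoring finding into practice, as an added example that is not from the report or this article: a small Python detector run over constructed sshd-style log lines that flags a burst of failed logins from one source and, more importantly, a successful login from that same source right after the burst. The log format, the five-failure threshold and the 60-second window are assumptions, not values from the report.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in an sshd-like format (not taken from the report).
SAMPLE_LOG = """\
2023-05-01T09:00:01 sshd[101]: Failed password for admin from 203.0.113.7 port 51000 ssh2
2023-05-01T09:00:03 sshd[101]: Failed password for admin from 203.0.113.7 port 51001 ssh2
2023-05-01T09:00:05 sshd[101]: Failed password for root from 203.0.113.7 port 51002 ssh2
2023-05-01T09:00:07 sshd[101]: Failed password for admin from 203.0.113.7 port 51003 ssh2
2023-05-01T09:00:09 sshd[101]: Failed password for admin from 203.0.113.7 port 51004 ssh2
2023-05-01T09:00:12 sshd[101]: Accepted password for admin from 203.0.113.7 port 51005 ssh2
2023-05-01T09:01:00 sshd[102]: Failed password for alice from 198.51.100.4 port 40000 ssh2
2023-05-01T09:02:00 sshd[102]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_events(text):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "ok": m["result"] == "Accepted",
                           "user": m["user"], "src": m["src"]})
    return events

def detect(events, max_failures=5, window_seconds=60):
    """Flag a source with >= max_failures failures inside the window, and any later success from it."""
    alerts, bursting = [], set()
    recent = defaultdict(list)  # src -> failure timestamps still inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        recent[src] = [t for t in recent[src] if (ev["ts"] - t).total_seconds() <= window_seconds]
        if not ev["ok"]:
            recent[src].append(ev["ts"])
            if len(recent[src]) >= max_failures and src not in bursting:
                bursting.add(src)
                alerts.append(("failure_burst", src, ev["user"], len(recent[src])))
        elif src in bursting:
            # A success right after a burst is the event most worth a human look.
            alerts.append(("success_after_burst", src, ev["user"], len(recent[src])))
            bursting.discard(src)
    return alerts
```

A single failed login followed by a key-based success (the alice lines) produces no alert, so the output stays focused on the pattern that needs a response.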
Sensitive Data and Information Management Results
- Healthcare ranked very low here, even though the industry has the strictest policies around sensitive data. One of the frequent vulnerabilities found was that these organizations don’t have a process for removing sensitive data from file shares.
- How sensitive technical and business-critical data were stored was also a reason why industries or regions scored low.
Servers, Network Equipment, and Endpoint Security Conclusions
- The biggest barrier to cybersecurity maturity in this domain was the use of outdated technology. Legacy systems pose significant threats, but many organizations still cling to them. Decommissioning these platforms and migrating data needs to be a priority for every industry.
- Endpoint security is a big pain point for enterprises. The number of endpoints keeps increasing, and the endpoints themselves are becoming more complex.
How Can You Achieve Greater Cybersecurity Maturity and Be More Prepared for Cyber Risk?
In reviewing all these insightful findings, there were several themes:
- Organizations still struggle with the basics of cybersecurity.
- Industries with regulatory requirements aren’t always mature.
- It’s challenging to balance access.
- Legacy technology is a significant cause of cyber risk.
- People are a key factor in protection, prevention, and resilience.
These big-picture learnings have implications for any cyber team. You can work out the processes to improve these and upgrade technology to bridge the gaps around monitoring and asset management.
However, even with the best practices, strategies, and tools, you’ll still struggle with maturity if you don’t address the “people problem.” Your team may consist of bright minds who are experts in technology and cybersecurity. All that brilliance won’t mean much if they can’t get out of their own way. Too often, they strive to be the smartest person in the room. In turn, this position keeps them from being communicators and collaborators.
It’s hard for technical people to develop people skills, but not impossible. They need a willingness to grow and change. Not all will. For those that do, you can help them evolve. When they do, your cyber maturity should improve.
So, how do you do it? The Secure Methodology™ is the answer.
The Secure Methodology and Improving Cyber Maturity
The Secure Methodology is a seven-step process that transforms technical people into people who can communicate effectively, collaborate better, and have greater awareness. I developed it in response to the “people problem” in cybersecurity. The Secure Methodology brings up areas that cyber leaders often ignore or overlook because they’re too complicated. People are complex, but with guided support, they can learn how to be better at their job and life!
If you want to learn more, check out the Secure Methodology course.